
Infected system - need assistance

I have a system that I have just about thrown the kitchen sink at, and it still seems to come through as being infected. Attached are logs from MBAM, ADWCleaner and eSet. FYI, I have removed references to the username and computer name.

Line Found : user_pref("sweetim.toolbar.dialogs.1.url", "chrome://sim_toolbar_package/content/exampledialog.html");

Line Found : user_pref("sweetim.toolbar.dialogs.1.width", "500");

Line Found : user_pref("sweetim.toolbar.dialogs.2.enable", "true");

Line Found : user_pref("sweetim.toolbar.dialogs.2.handler", "chrome://sim_toolbar_package/content/cdadialog-handler.js");

Line Found : user_pref("sweetim.toolbar.dialogs.2.height", "150");

Line Found : user_pref("sweetim.toolbar.dialogs.2.id", "id_dialog_hide_disable_remove");

Line Found : user_pref("sweetim.toolbar.dialogs.2.title", "Option Dialog");

Line Found : user_pref("sweetim.toolbar.dialogs.2.url", "hxxp://www.sweetim.com/simffbar/simcdadialog.asp");

Line Found : user_pref("sweetim.toolbar.dialogs.2.width", "530");

Line Found : user_pref("sweetim.toolbar.dnscatch.domain-blacklist", ".*.sweetim.com/.*|.*.facebook.com/.*|.*.google.com/.*|.*.google.co.in/.*|.*.google.com.br/.*|.*.google.es/.*|.*.youtube.com/.*|.*.yahoo.com/.*|.[...]

Line Found : user_pref("sweetim.toolbar.highlight.colors", "#FFFF00,#00FFE4,#5AFF00,#0087FF,#FFCC00,#FF00F0");

Line Found : user_pref("sweetim.toolbar.keywordUrlGuard.enable", "false");

Line Found : user_pref("sweetim.toolbar.logger.ConsoleHandler.MinReportLevel", "7");

Line Found : user_pref("sweetim.toolbar.logger.FileHandler.FileName", "ff-toolbar.log");

Line Found : user_pref("sweetim.toolbar.logger.FileHandler.MaxFileSize", "200000");

Line Found : user_pref("sweetim.toolbar.logger.FileHandler.MinReportLevel", "7");

Line Found : user_pref("sweetim.toolbar.mode.debug", "false");

Line Found : user_pref("sweetim.toolbar.newtab.created", "false");

Line Found : user_pref("sweetim.toolbar.newtab.enable", "false");

Line Found : user_pref("sweetim.toolbar.newtab.url", "hxxp://start.sweetpacks.com/?src=97&barid=$toolbar_id;&crg=$cargo;");

Line Found : user_pref("sweetim.toolbar.previous.browser.search.defaultenginename", "");

Line Found : user_pref("sweetim.toolbar.previous.browser.search.selectedEngine", "");

Line Found : user_pref("sweetim.toolbar.previous.browser.startup.homepage", "hxxps://login.salesforce.com/");

Line Found : user_pref("sweetim.toolbar.previous.keyword.URL", "");

Line Found : user_pref("sweetim.toolbar.rc.url", "hxxp://www.sweetim.com/simffbar/rc.html?toolbar_version=$ITEM_VERSION;&crg=$cargo;&flavour=$flavr;");

Line Found : user_pref("sweetim.toolbar.scripts.0.addcontextdiv", "true");

Line Found : user_pref("sweetim.toolbar.scripts.0.callback", "simVerification");

Line Found : user_pref("sweetim.toolbar.scripts.0.domain-blacklist", "");

Line Found : user_pref("sweetim.toolbar.scripts.0.domain-whitelist", "hxxp://(www.|apps.)?facebook\\.com.*");

Line Found : user_pref("sweetim.toolbar.scripts.0.elementid", "id_script_sim_fb");

Line Found : user_pref("sweetim.toolbar.scripts.0.enable", "false");

Line Found : user_pref("sweetim.toolbar.scripts.0.id", "id_script_fb");

Line Found : user_pref("sweetim.toolbar.scripts.0.url", "hxxp://sc.sweetim.com/apps/in/fb/infb.js");

Line Found : user_pref("sweetim.toolbar.scripts.1.addcontextdiv", "true");

Line Found : user_pref("sweetim.toolbar.scripts.1.callback", "simVerification");

Line Found : user_pref("sweetim.toolbar.scripts.1.domain-blacklist", "");

Line Found : user_pref("sweetim.toolbar.scripts.1.domain-whitelist", "hxxps://(www.|apps.)?facebook\\.com.*");

Line Found : user_pref("sweetim.toolbar.scripts.1.elementid", "id_script_sim_fb");

Line Found : user_pref("sweetim.toolbar.scripts.1.enable", "false");

Line Found : user_pref("sweetim.toolbar.scripts.1.id", "id_script_fb_hxxpS");

Line Found : user_pref("sweetim.toolbar.scripts.1.url", "hxxps://sc.sweetim.com/apps/in/fb/infb.js");

Line Found : user_pref("sweetim.toolbar.scripts.2.addcontextdiv", "false");

Line Found : user_pref("sweetim.toolbar.scripts.2.callback", "");

Line Found : user_pref("sweetim.toolbar.scripts.2.domain-blacklist", ".*.google..*|.*.bing..*|.*.live..*|.*.msn..*|.*.yahoo..*|.*.youtube.com.*|.*ask.com.*|.*.sweetim.com.*");

Line Found : user_pref("sweetim.toolbar.scripts.2.domain-whitelist", "");

Line Found : user_pref("sweetim.toolbar.scripts.2.elementid", "id_predict_include_script");

Line Found : user_pref("sweetim.toolbar.scripts.2.enable", "false");

Line Found : user_pref("sweetim.toolbar.scripts.2.id", "id_script_prad");

Line Found : user_pref("sweetim.toolbar.scripts.2.url", "hxxp://cdn1.certified-apps.com/scripts/shared/enable.js?si=3104&tid=chff1");

Line Found : user_pref("sweetim.toolbar.search.history.capacity", "10");

Line Found : user_pref("sweetim.toolbar.searchguard.enable", "false");

Line Found : user_pref("sweetim.toolbar.searchguard.initialized_by_rc", "true");

Line Found : user_pref("sweetim.toolbar.simapp_id", "{1967101C-C71F-11E2-AFCC-E006E6AFB21B}");

Line Found : user_pref("sweetim.toolbar.urls.afteruninstall", "hxxp://toolbar.sweetpacks.com/uninstallbar.asp?barid=$toolbar_id;&flavour=$flavr;");

Line Found : user_pref("sweetim.toolbar.urls.contactus", "hxxp://www.perion.com/contact-us");

Line Found : user_pref("sweetim.toolbar.urls.homepage", "hxxp://start.sweetpacks.com/?src=10&st=12&crg=3.5000006.10042&barid={1967101C-C71F-11E2-AFCC-E006E6AFB21B}");

Line Found : user_pref("sweetim.toolbar.urls.privacy", "hxxp://www.perion.com/privacy-policy");

Line Found : user_pref("sweetim.toolbar.urls.searchpage", "hxxp://start.sweetpacks.com/?barid=$toolbar_id;");

Line Found : user_pref("sweetim.toolbar.urls.uninstall", "hxxp://toolbar.sweetpacks.com/uninstall");

Line Found : user_pref("sweetim.toolbar.version", "1.13.0.1");

Line Found : user_pref("{8E9E3331-D360-4f87-8803-52DE43566502}.ScriptData_WSG_blackList", "form=CONTLB|babsrc=toolbar|babsrc=tb_ss|invocationType=tb50-ie-aolsoftonic-tbsbox-en-us|invocationType=tb50-ff-aolsoftonic[...]

Line Found : user_pref("{8E9E3331-D360-4f87-8803-52DE43566502}.ScriptData_WSG_referrer", "hxxp://us.yhs4.search.yahoo.com/yhs/search?fr=altavista&itag=ody&q=hxxp://us.yhs4.search.yahoo.com/yhs/search?fr=altavista&[...]

Line Found : user_pref("{8E9E3331-D360-4f87-8803-52DE43566502}.ScriptData_WSG_temp_referer", "hxxp://us.yhs4.search.yahoo.com/yhs/search?fr=altavista&itag=ody&q=hxxp://us.yhs4.search.yahoo.com/yhs/search?fr=altavi[...]

Line Found : user_pref("{8E9E3331-D360-4f87-8803-52DE43566502}.ScriptData_product_name", "Updater By SweetPacks");

Line Found : user_pref("{C4CFC0DE-134F-4466-B2A2-FF7C59A8BFAD}.ScriptData_WSG_blackList", "form=CONTLB|babsrc=toolbar|babsrc=tb_ss|invocationType=tb50-ie-aolsoftonic-tbsbox-en-us|invocationType=tb50-ff-aolsoftonic[...]

Line Found : user_pref("{C4CFC0DE-134F-4466-B2A2-FF7C59A8BFAD}.ScriptData_WSG_referrer", "hxxp://us.yhs4.search.yahoo.com/yhs/search?fr=altavista&itag=ody&q=hxxp://us.yhs4.search.yahoo.com/yhs/search?fr=altavista&[...]

Line Found : user_pref("{C4CFC0DE-134F-4466-B2A2-FF7C59A8BFAD}.ScriptData_WSG_temp_referer", "hxxp://us.yhs4.search.yahoo.com/yhs/search?fr=altavista&itag=ody&q=hxxp://us.yhs4.search.yahoo.com/yhs/search?fr=altavi[...]

Line Found : user_pref("{C4CFC0DE-134F-4466-B2A2-FF7C59A8BFAD}.ScriptData_product_name", "Updater By SweetPacks");
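As an added triage example (my own code, not part of this thread and not ADWCleaner's own logic), the script below parses the "Line Found : user_pref(...)" entries that ADWCleaner reports from a Firefox prefs.js and sorts them into what a cleaner actually wants to know: the URLs the toolbar substituted for the home page, new tab and search page; the remote scripts it is configured to inject, with whether each is currently enabled; the original settings it stored under ".previous." before overriding them (in the log above, the homepage was hxxps://login.salesforce.com/ before the toolbar changed it, which is what to restore); and the product names on the Updater entries. The sample input is constructed from a handful of the lines above, URLs kept in the forum's defanged hxxp form; the function names and the categories are my own assumptions, not ADWCleaner terminology.

```python
import re

# Constructed sample: a few "Line Found" entries in the format ADWCleaner uses
# for Firefox prefs.js hits. Values are copied from the log in this thread,
# with URLs left in the defanged hxxp form the forum uses.
SAMPLE_LOG = """\
Line Found : user_pref("sweetim.toolbar.newtab.url", "hxxp://start.sweetpacks.com/?src=97&barid=$toolbar_id;&crg=$cargo;");
Line Found : user_pref("sweetim.toolbar.previous.browser.startup.homepage", "hxxps://login.salesforce.com/");
Line Found : user_pref("sweetim.toolbar.scripts.0.url", "hxxp://sc.sweetim.com/apps/in/fb/infb.js");
Line Found : user_pref("sweetim.toolbar.scripts.0.enable", "false");
Line Found : user_pref("sweetim.toolbar.scripts.2.url", "hxxp://cdn1.certified-apps.com/scripts/shared/enable.js?si=3104&tid=chff1");
Line Found : user_pref("sweetim.toolbar.scripts.2.enable", "false");
Line Found : user_pref("sweetim.toolbar.urls.homepage", "hxxp://start.sweetpacks.com/?src=10&st=12&crg=3.5000006.10042&barid={1967101C-C71F-11E2-AFCC-E006E6AFB21B}");
Line Found : user_pref("sweetim.toolbar.version", "1.13.0.1");
Line Found : user_pref("{8E9E3331-D360-4f87-8803-52DE43566502}.ScriptData_product_name", "Updater By SweetPacks");
"""

# user_pref("name", "value");  -- the value may contain backslash escapes
# such as facebook\\.com, so the value group allows escaped characters.
PREF_RE = re.compile(r'user_pref\("([^"]+)",\s*"((?:[^"\\]|\\.)*)"\);')
URL_RE = re.compile(r'^(?:hxxps?|https?)://', re.IGNORECASE)
SCRIPT_URL_RE = re.compile(r'\.scripts\.(\d+)\.url$')
REDIRECT_RE = re.compile(r'(homepage|newtab\.url|searchpage)$')


def parse_adw_prefs(log_text):
    """Return {pref_name: value} for every 'Line Found : user_pref(...)' entry."""
    prefs = {}
    for line in log_text.splitlines():
        if not line.startswith("Line Found"):
            continue
        m = PREF_RE.search(line)
        if m:
            prefs[m.group(1)] = m.group(2)
    return prefs


def triage(prefs):
    """Sort parsed prefs into the categories a cleanup cares about.

    Categories are this example's own labels, not ADWCleaner's:
      redirect_urls     -- home page / new tab / search page the toolbar set
      remote_scripts    -- (url, enabled) for each script the toolbar can inject
      previous_settings -- the user's original settings the toolbar saved
                           under '.previous.', i.e. what to restore
      products          -- product names found on ScriptData entries
      prefixes          -- pref-name prefixes seen (toolbar names and GUIDs)
    """
    report = {"redirect_urls": {}, "remote_scripts": [],
              "previous_settings": {}, "products": set(), "prefixes": set()}
    for name, value in prefs.items():
        report["prefixes"].add(name.split(".")[0])
        if SCRIPT_URL_RE.search(name):
            enable_key = name[: -len("url")] + "enable"
            enabled = prefs.get(enable_key, "") == "true"
            report["remote_scripts"].append((value, enabled))
        elif ".previous." in name:
            if value:  # empty strings mean nothing was saved for that setting
                report["previous_settings"][name.split(".previous.", 1)[1]] = value
        elif URL_RE.match(value) and REDIRECT_RE.search(name):
            report["redirect_urls"][name] = value
        elif name.endswith("ScriptData_product_name"):
            report["products"].add(value)
    return report


def format_report(report):
    """Render the triage result as plain text for a forum reply."""
    lines = ["Toolbar/GUID prefixes: " + ", ".join(sorted(report["prefixes"]))]
    lines.append("Products: " + ", ".join(sorted(report["products"])))
    lines.append("Browser pages redirected by the toolbar:")
    lines += [f"  {k} -> {v}" for k, v in sorted(report["redirect_urls"].items())]
    lines.append("Remote scripts the toolbar can inject:")
    lines += [f"  {'ENABLED ' if on else 'disabled'} {url}"
              for url, on in report["remote_scripts"]]
    lines.append("Original settings saved by the toolbar (restore these):")
    lines += [f"  {k} = {v}" for k, v in sorted(report["previous_settings"].items())]
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(triage(parse_adw_prefs(SAMPLE_LOG))))
```

Run it against a full ADWCleaner log instead of SAMPLE_LOG to get the same summary for a real machine; the "previous" block is the part worth acting on by hand, since the cleaners remove the toolbar prefs but do not put the old homepage back.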

Save any unsaved work. (TFC will close ALL open programs including your browser!)

Double-click on TFC.exe to run it. (If you are using Vista, right-click on the file and choose "Run As Administrator".)

Click the Start button to begin the cleaning process and let it run uninterrupted to completion.

Important! If TFC prompts you to reboot, please do so immediately. If not prompted, manually reboot the machine anyway allowing Windows to load normally (not into Safe Mode) to ensure a complete clean.

Run the tool by double-clicking it. If you are using Windows Vista, 7, or 8, instead of double-clicking, right-click JRT.exe and select "Run as Administrator".

The tool will open and start scanning your system.

Please be patient as this can take a while to complete depending on your system's specifications.

On completion, a log (JRT.txt) is saved to your desktop and will automatically open.

Post the contents of JRT.txt into your next message.


Please download MiniToolBox, save it to your desktop and run it.
Checkmark the following checkboxes:
Flush DNS

Report IE Proxy Settings

Reset IE Proxy Settings

Report FF Proxy Settings

Reset FF Proxy Settings

List content of Hosts

List IP configuration

List Winsock Entries

List last 10 Event Viewer log

List Installed Programs

List Users, Partitions and Memory size.

Click Go and post the result (Result.txt). A copy of Result.txt will be saved in the same directory the tool is run from. Note: when using the "Reset FF Proxy Settings" option, Firefox should be closed.

How do I get help? Who is helping me?For the time will come when men will not put up with sound doctrine. Instead, to suit their own desires, they will gather around them a great number of teachers to say what their itching ears want to hear....Become a BleepingComputer fan: Facebook

Finally got time in front of the system and started the cleanup (still underway). Wanted to report the RKILL findings, however, as it points to a ZEROACCESS exploit. Is there anything different we should do at this point?

Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume2\ComboFix\catchme.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

Date: 2014-04-02 11:45:32.655

Description: Windows is unable to verify the image integrity of the file \Device\HarddiskVolume2\ComboFix\catchme.sys because file hash could not be found on the system. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

Click 'Start Scan'. If an update is available, click the Update Now button.

When the scan is complete, if there have been detections, click Apply Actions.

Wait for the prompt to restart the computer to appear, then click on Yes. Note: if there were no detections, you can click on the 'View detailed log' link after the scan completes.
